Allow "adb shell tradeinmode" on userdebug/eng builds.
This lets us test "tradeinmode getstatus" without actually entering
adbd_tradeinmode.
Audits:
I auditd : type=1400 audit(0.0:167): avc: denied { use } for comm="tradeinmode" path="socket:[37027]" dev="sockfs" ino=37027 scontext=u:r:tradeinmode:s0 tcontext=u:r:adbd:s0 tclass=fd permissive=0
I auditd : type=1400 audit(0.0:171): avc: denied { use } for comm="tradeinmode" path="/system/bin/tradeinmode" dev="dm-9" ino=11905585 scontext=u:r:tradeinmode:s0 tcontext=u:r:shell:s0 tclass=fd permissive=0
I auditd : type=1400 audit(0.0:173): avc: denied { read write } for comm="tradeinmode" path="socket:[10171]" dev="sockfs" ino=10171 scontext=u:r:tradeinmode:s0 tcontext=u:r:adbd:s0 tclass=unix_stream_socket permissive=0
Bug: 307713521
Test: adb shell tradeinmode getstatus
Change-Id: If85649fb7d8d488f32a9d7098a88530d098196ad
diff --git a/private/shell.te b/private/shell.te
index 839178c..1b8fb8a 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -42,6 +42,11 @@
domain_auto_trans(shell, vendor_shell_exec, vendor_shell)
+# Allow shell to execute tradeinmode on userdebug builds, for testing.
+userdebug_or_eng(`
+ domain_auto_trans(shell, tradeinmode_exec, tradeinmode)
+')
+
# Allow shell binaries to exec the perfetto cmdline util and have that
# transition into its own domain, so that it behaves consistently to
# when exec()-d by statsd.
diff --git a/private/tradeinmode.te b/private/tradeinmode.te
index 05315a4..821faf4 100644
--- a/private/tradeinmode.te
+++ b/private/tradeinmode.te
@@ -4,8 +4,14 @@
type tradeinmode_exec, exec_type, file_type, system_file_type;
allow tradeinmode adbd_tradeinmode:fd use;
-
allow tradeinmode adbd_tradeinmode:unix_stream_socket { read write ioctl };
+
+# Allow running from normal shell on userdebug/eng.
+userdebug_or_eng(`
+ allow tradeinmode { adbd shell }:fd use;
+ allow tradeinmode adbd:unix_stream_socket { read write ioctl };
+')
+
allow tradeinmode devpts:chr_file rw_file_perms;
# Allow executing am/content without a domain transition.